Security Rule: Required Items

Standards	Sections	Implementation Specifications (R)=Required, (A)=Addressable
Security Management Process	[164.308(a)(1)]	Risk Analysis (R)
		Risk Management (R)
		Sanction Policy (R)
		Information System Activity Review (R)
Assigned Security Responsibility	[164.308(a)(2)]	(R)
Information Access Management	[164.308(a)(4)]	Isolating Healthcare Clearinghouse Function (R)
Security Incident Procedures	[164.308(a)(6)]	Response and Reporting (R)
Contingency Plan	[164.308(a)(7)]	Data Backup Plan (R)
		Disaster Recovery Plan (R)
		Emergency Mode Operation Plan (R)
Evaluation	[164.308(a)(8)]	(R)
Business Associate Contracts and Other Arrangement.	[164.308(b)(1)]	Written Contract or Other Arrangement (R)
Workstation Use	[164.310(b)]	(R)
Workstation Security	[164.310(c)]	(R)
Device and Media Controls	[164.310(d)(1)]	Disposal (R)
Device and Media Controls	[164.310(d)(1)]	Media Re-use (R)
Access Control	[164.312(a)(1)]	Unique User Identification (R)
Access Control	[164.312(a)(1)]	Emergency Access Procedure (R)
Audit Controls	[164.312(b)]	(R)
Person or Entity Authentication	[164.312(d)]	(R)